Author Archives: theitriskmanager

About theitriskmanager

A IT programme manager specialising in delivering trading and risk management systems in Investment Banks. I achieve this by focusing on risk rather than cost. A focus on costs can lead to increased costs.

Trying to understand “Leave”

Like many people I woke up yesterday to find myself in a different country. London appeared to be stunned. The tubes were eerily quiet and subdued. After all, less than 50% of Londoners were born British. My mood oscillated between despair and anger. It feels like we are in a bad science fiction movie. Last night I tweeted that if Scotland is allowed a referendum on independence, London deserves one too. Two people responded that London was elitist and needed to pay reparations for the damage done to the rest of England.

I was stunned. Almost physically rocked by these statements.

This morning I woke up with a desire to understand what had happened. This is my attempt to understand. I am a child asking for help. Not a patriarch forcing my opinion on others.

I grew up in Leicester. The school I went to was multicultural. A third of my school were Asian (Indian), many from families that had fled Idi Amin… refugees. I first started to observe cultural segregation at Sixth Form College. Asian girls were discouraged from mixing with white boys. There was no tension, just segregation. My first experience of racism was at University in Newcastle. It was a small thing but I had not noticed that my friendship group was multi-cultural compared to other mono-cultural groups, but someone else had noticed. I have been fortunate to work in IT in the “City” for over two decades. In 2000 my team consisted of Four brits (one of Asian descent, one gay), an American, A Canadian, A peruvian, A Hungarian, An East German (former member of the East German Army), A Frenchman… you get the idea. When I arrived in the City in 1993, it was a magnet for the best and brightest in the UK. By 2000 it was a magnet for the best and brightest in the World. These are not upper class privileged sorts, they are hard working individuals that applied themselves to be good at subjects that many find boring and tedious and damned hard work. They work hard, they play hard, and they pay a shed load of tax. Being part of Europe is big part of why we have jobs in London. Paying tax is a way of contributing back to the society that we grew up in.

Londoners appear to contribute about 1/4 of tax*. About an 1/8 of tax is spent on London. That means that London is a massive net contributor to the rest of the country. As a Londoner I’m happy to do my bit to help the rest of the country.

Less than 50% of London was born British. London is an international city built on immigration. London does not appear to have the same kind of problems with immigration that the rest of England has. One of the most stomach churning and revealing stories in Brexit was the story Farage told of a little old lady saying “Come and see what immigration has done to our community” How can we not have empathy and sympathy for this little old Lady. I met an old Lady like that in the local launderette when our washing machine died. I live in a white middle class street. At the end of the street is the main road that is as multi-cultural as you can get. There are white working class boozers with menacing smokers stood outside who eye you as you walk past. There are shops servicing clientele from the Middle East, North Africa and Poland… everything is Halal. There is a Mosque that is next door to the Music Venue that caters for up and coming bands, weddings and office parties. It is not always harmonious, especially when it comes to finding a parking space. Parking is a problem, compounded by the mini cab firm where all the drivers are from Somalia. Though when I need a taxi to the airport, they are reliable and normally listening to Radio 4 as a way to improve their English. Its an integrated multi-cultural community where different groups respectfully co-exist… apart from the parking. Touch wood, I’ve never felt that threatened, apart from the scary little old lady in the launderette. Within five minutes she had told me she wrote regularly to David Cameron… until the police visited and asked her not to. She then confided she still wrote, but used an alias.

I am one of the 1%. My earnings are in the top 1% of the country. In London, that means I can just about afford a mezzanine or one bedroom flat in one of the “up and coming” parts of the City. At 1% I cannot afford to hop between countries to avoid paying any tax. I’m proud to pay my tax and consider people like Philip Green to be an enemy of the state for avoiding paying tax on a level that would pay for a hospital or a school.

I do not feel elite, especially when standing in a packed tube seating my  way to work and back.

Then Brexit, and the accusation that London is the elite and needs to pay reparation. What has London done wrong that the rest of the country has decided to destroy our jobs and our future? We are already paying in twice as much as we take out. Don’t blame us for parliament, we only voted a dozen or so politicians in. The rest of the country voted the rest in. Londoners hate the politicians and their Old Etonian shady deals with Philip Green as much as anyone. So what is going on?

I think Brexit is just another manifestion of a global phenomena. The world economy is changing. Engineering jobs are either moving to the most highly skilled areas of the world (e.g. Germany) or the cheapest areas of the World (e.g. Asia). There are fewer engineering jobs to go round. America is suffering the same problem which is giving rise to Trump. The best explanation I’ve read is that the blue collar engineering class does not want hand outs, they want jobs. According to Dan Pink, motivation requires Autonomy, Mastery and Purpose. Our engineering class is given nothing… just social handouts and jobs that will never let them achieve satisfaction. London’s sin has been to assume that paying for the NHS and Welfare for big parts of England was enough. Clearly it is not enough, message received. We need jobs, not McJobs, but real jobs.

The elderly in this country have been lied to and deceived during the Brexit campaign, by both sides. Pensions account for the largest part of the UK budget. Leaving the EU will result in inflation which erodes the value of pensions. Clearly the elderly in the UK are scared of immigrants. Even in my street, the elderly are scared. This is where we need to act. We need to create programs to integrate the elderly into modern communities so that they can live richer more fulfilling lives, lives with less fear.

So lets understand the relationship between London and the rest of England. A few years ago I encountered the Benjamin Franklin Effect. Its a cognitive dissonance that I think helps to explain the relationships between Parents and Teenagers. In effect, we like someone because we do something for them, rather than we like someone because they do something for us. I suspect that the rest of England is resentful of London whereas London likes the rest of England (because that’s where we come from after all). This also explains why Wales and Cornwall voted to leave the EU despite receiving massive support from the EU. They don’t want your money (they need it and resent you for giving it), they want their dignity (and the EUs money takes it away).

So here is a thought. We need to create jobs that have meaning for the rest of England. Lets identify a deprived area of England, and relocate the Government to that area generating jobs to revive the community. How do we pay for this? We simply sell the buildings that the government occupies. The British Government is housed in some of the most expensive real estate in the world, and there is absolutely no reason in the modern age for that to be the case. The houses of parliament can be redeveloped as a museum/leisure centre/theme park for tourists. Once the area is revitalised and if necessary, we move the government again. Perhaps every ten years or so.

I get the feeling I’m reading this completely wrong. Would love to know what I’m missing.

I am proud to be British and European, however Britain is about my past and who I am, and Europe is about my future and the future of my children.I choose to be European for the sake of my children and over the next two years I intend to fight (in the courts if necessary) to remain my European status. If that means London needs to leave Britain, so be it.

*It would be great if the government would make it easier to see how tax is collected and spent.


IIRMFW : Program and Reduce Lead Time.

One of the key risk management controls for an Agile Risk Management Framework is to limit the amount and time between investment and return.

A development organisation needs to deliver investments where the Lead Time and Weighted Lead Time are within agreed thresholds. Limiting the lead time also limits the financial value of inventory in the development organisation that is not delivering value to customers. An organisation may limit both the lead time (or weighted lead time) and/or the financial value of inventory (See CFD below).

Financial Value of Inventory

This leads to a new way of looking at the RAG status:

  • RED – The investment is over the lead time (weighted lead time) limit.
  • RED (Trending) – The investment is expected to breach the lead time (weighted lead time) limit.
  • AMBER (Trending) – The investment might* breach the lead time (weighted lead time) limit.
  • GREEN (Trending) – The investment is not expected to breach the lead time (weighted lead time) limit.

Organisations in transition often struggle to make lead time targets. It is possible that the organisation might allow longer lead times provided software is delivered into a pseudo production environment, and that there is a commitment from executives across the entire value stream to achieve the target lead time within an agreed time period.

* As indicated by a tool such as Troy Magennis’s Monte Carlo Simulation.

IIRMFW : Governance and Manage Risk (Part1)

The IT Investment Risk Management Framework for Agile development would be very different to that for Traditional approach. By its very nature, Traditional operates in the Obvious and Complicated domains of the Cynefin framework. Traditional assumes the correct answer which means it is not well suited to manage risks in the Complex and Chaos domains. The entire approach to risk management between Agile and Traditional is different. Traditional funds a list of features (Scope) to be delivered whereas Agile iterates towards a business value goal.

A traditional approach mandates a list of deliverables that need to be created to satisfy the SDLC. Agile mandates a list of risks that need to be managed in the context of the investment. This difference in approach means that two projects doing different things could both be satisfying the Agile Risk Management framework. Even stranger, there may be two projects following the exact same process but one of them satisfies the risk management framework BUT THE OTHER DOES NOT! For this reason, the policing service within the governance framework is critical and very different to traditional SDLC policing.

Traditional SDLCs are typically practice and deliverable based. There is a simple yes/no checkbox approach to policing the IT investment. e.g. Do you have a functional specification? And a project plan? And a test plan? Do you have 100% automated test coverage?

Agile Risk Management Frameworks are much more principle based. The policing service needs to be able to identify where there is risks because the approach is not quite right. e.g. On one team, the scrum master does all of the updates to Jira. On another team, everyone on the project updates Jira. Both projects are transparent but one might have a key man dependency. The policing service might ask to see a Skills Matrix or ask other team members if they know how to use Jira. Simply put, its not black and white.

The key role of the policing service is to challenge claims of “transparency”. To ensure that the perceived transparency is genuine. Having shed some transparency on risks, the policing service can suggest resources for the team to learn to improve. As they have a responsibility to the organisation, the policing service are responsible for the making the risk visible and recording it so that it does not become forgotten. Most teams do not intend to obscure information, often the problem is a lack of understanding and experience.

The diagnostic skills required of the policing service that allow them to identify risks that should be managed are similar to those of an Agile Coach. Even though the skills overlap, the Agile Coaches should never be used to implement the Policing Service. They can coach the policing service and help them acquire analysis skills. They should not act as the policing service, otherwise it will destroy trust between the team and the coach.

It is the responsibility of the policing service to ensure transparency on all risks. As such they should not report to a delivery organisation where there might be a conflict of interest between their responsibility to their management and the organisation. e.g. Consider private security guards versus independent police force.

It is the responsibility of the policing service to identify where the IT Investment Risk Management Framework is flawed. Either too constrained which limits the ability of the organisation to deliver, or not not constrained enough so that the organisation is exposed to risks that are not managed.

IIRMFW : Exec’s & Business Value

The IT Investment Risk Management Framework is the set of constraints that development organisations need to operate within in order for the associated risks to be managed appropriately.

The executives in an organisation have a responsibility to rhe investors when managing the risk surrounding the delivery of Business Value.

Executives responsibility for Business Value Metrics

The key metric that an executive is responsible for is:

  • The percentage of the IT Investment Portfolio that can demonstrate whether an investment generated a return.

There are two sub-metrics beneath this metric for the executive.

  • The percentage of IT Investments that are linked to a metric. i.e. Has the product owner stated the metric that will improve as a result of an investment (e.g. Story, Epic, Initiative).
  • The percentage of metrics that can be displayed. i.e. Is the metric available in a format that the improvement in the metric can be demonstrated. Note that the metric might be manually captured.

In effect the executive should be able to observe a graph for each metric that is similar to the one below:

Screen Shot 2016-05-30 at 10.30.53

as well as a summary of investments that looks like the following:


In the event that a metric is not available to be displayed, the executive should be committed to delivery of that metric within an appropriate time frame.

Risks Being Managed

These key metrics demonstrate that the executive is managing key business value risks. The risks managed are as follows:

The percentage of the IT Investment Portfolio that can demonstrate whether an investment generated a return. – This metric ensures that the executive has transparency into whether a return is being delivered by their portfolio of investments. The exact return delivered by a particular investment may be difficult to assess however the impact of the portfolio investment is transparent. It is not necessary to specify that the executive checks the return regularly as the metrics graph provide transparency that is not enhanced by taking minutes of metric review meetings. However, it is to the executives benefit to be on top of their metrics by reviewing them regularly so that they can intervene in a timely manner. A failure to intervene would be evidence that the executive is not performing their role properly.

The percentage of IT Investments that are linked to a metric. – This metric ensures that everyone in the executives organisation is focused on delivering value rather than functionality. It provides transparency on those that cannot prove they intend to deliver value (no metric assigned). This transparency also allows the executive to take a portfolio view and rebalance the portfolio if appropriate.

The percentage of metrics that can be displayed. – This metric indicates where a return can and cannot be demonstrated. If the return cannot be demonstrated, there is a massive risk that an investment might deliver no return ir even worse destroy value.

The Business Value Metrics Framework

All metrics should be part of an organisation wide standardised metrics framework. This has two benefits:

  • The standard framework makes it easier for product owners to identify the value they are delivering because they do not have to work it out for themselves.
  • The standard framework makes it easier to compare the value of disparate investments.

The business value metrics framework should be “open sourced” within the organisation with a product owner facilitating the addition and modification of metrics, and the decisions regarding the additions and modifications being made by the Business Value Metrics Steering Committee. The Business Value Metrics Steering Committee should be appointed by the board as the definition of business value in an organisation is key to its success.

A business value metrics framework is vital when an organisation relies on third party consultants to write business cases as there is a substantial conflict of interest. For example, there is a tendency to suggest attributes of a product as business value (e.g. Lead time) rather than business value (Conversion Rate). Product attributes are easy to deliver compared to those that depend on the needs of the customer and the market.

The Business Value Metrics Framework can be constructed using “Break the Model”. Identify an example (Tea Bag), Reflect if it is in-scope, Create an Example (Tea Bag -> Cup of Tea -> User Need -> Business Value) and then Model (Add it to the Hierarchy). The product owner performs this process based on the examples that are presented to them as not fitting in the model.

The Business Value Metrics Framework will probably map to your organisations Business Model. e.g. Freemium = Get users, Increase Activity, Get Revenue. Traditional = Get Revenue, Increase Activity, Prevent Churn.

Risk Adjusted Return on Capital is a good starting point.

  • Risk
    • Investment Lead Time (Weighted Lead Time)
      • Key Man Dependencies
    • Quality
      • ITIL measures
      • Failure Demand
    • Employee Happiness
      • Turnover
  • Revenue
    • ARPU (Average Revenue Per User)
    • Activity (Average Visits per Month)
    • Number of Customers
      • New Customers
        • Conversion Rate
        • Customers into the Funnel
      • Churn
  • Costs
    • ACPU (Average Cost Per User)
      • People Costs
      • Overheads

Disruptive Innovation versus Efficiency Innovation

The executive should ensure that the portfolio has the appropriate levels of Disruptive, Sustaining and Efficiency Innovation. Otherwise the organisation might discover its market being disrupted. Check out Clayton Christensen’s lecture for more details.

* The concept of the Business Value Cascade was created by Mark Gillett, Senior Vice President at Microsoft, responsible for Skype & Lync products. The first analysis and implementation was performed by Keith Beatie, now a partner at McKinsey.

IT Investment Risk Framework and Software Frameworks

An IT Investment Risk Framework is a set of constraints that an organisation imposes on its development organisation to ensure that IT Investments are delivered in a way that manages the risk involved. It should create failure containers so that any failure does not propagate across the organisation like the failure at Knight Capital which caused the organisation to fail.

The boundaries imposed by the framework should be negotiable rather than fixed, otherwise the framework may fail catastrophically. (Hat tip to Dave Snowden’s Cynefin Framework.)

The Risk Framework should NOT specify how the IT Investment is made, simply the way that IT Investment risk is managed. The Risk Framework specifies a number of Commitments placed on the development organisation when they accept funding for an investment.

By comparison SAFE and LESS are frameworks that seek to optimise the delivery of value to the organisation. They provide a number of enabling constraints in the form of principles. The SAFE and LESS frameworks can both be deployed within a IT Investment Risk Management Framework providing they satisfy the its constraints. In effect, they are an Option that the development company may adopt.

In summary an IT Investment Risk Management Framework is a commitment placed on a development organisation whereas the SAFE and LESS frameworks are options available to the aid development.

An Agile Risk Management Framework

I love working with smart people. They make it easy and fun to solve nasty problems. Tony Grout is one such person. He is a really deep thinker on the subject of theory of constraints. One of the problems faced by many large organisations is that they have a prescriptive software development life cycle or SDLC for short. The organisation insists that all IT Projects follow the SDLC. The SDLC is normally very binary in nature. If your project is of type XYZ, then you need to do ABC. This poses a problem for Agile development which doesn’t follow the same philosophy. Rather than one size fits all, Agile development adapt to the risk profile of the context they are operating in. Often without realising it, most Agile development follows Alistair Cockburn’s Crystal methodology.

At Lean Kanban London Day, Tony Grout and I presented our view on the Agile Organisation. (Hat tip to SAFE).


A key part of that organisation for any Large IT Organisations is the Governance Function. This consists of four key parts (A metaphor of speed restrictions for drivers is provided in brackets to aid understanding):

  1. An IT investment risk management framework. (The law stating 30 mph in residential areas. 20 mph is areas with people at heightened risk such as schools and hospitals)
  2. A policing* function to ensure that all investments operate within the framework. (Speed cameras and traffic police)
  3. A governance function to ensure the risk management framework evolves appropriately according to context. This function also acts to help interpret the framework in a particular context. (Courts and law making bodies)
  4. The responsibilities of ordinary citizens. (Driving tests).

Separate to the governance function is the capabilities that allow development teams to deliver IT investments. The problem with many SDLCs is that they combine the risk management framework with the capabilities needed to deliver them. The IT investment risk management framework should be the smallest set of constraints that the organisation imposes on the development and change organisation to ensure that the risks associated with the IT investment are managed appropriately. The constraints should be helpful and instructive rather than arbitrary. The constraints should give comfort to investors that their investment will be protected against the three categories** of risk, namely:

  1. Delivery Risk – Will the functionality be delivered.
  2. Business Case Risk – The IT Investment delivering the stated return.
  3. Existing Business Model Risk – Will the IT Investment damage the existing business model.

Tony and I categorised the risk management framework into the following attributes of an Agile development. If an IT Investment does not satisfy these criteria, it should be considered NOT Agile and thus managed under the existing SDLC. These categories are:


We even use them as part of our training.

LKD Manifesto

The policing function is particularly important for an Agile IT Investment Risk Management Framework as context is so important to the approach, and it is easy to game the rules. The policing function should work closely with the organisation’s Agile Coaches to help development teams learn to operate within the rules. This policing function should never be performed by Agile Coaches as it would destroy the relationship between the coaches and the development teams.

The IT Investment Risk Framework specifies the impact of each risk category on each part of the organisation.


Our next posts will expand on the framework, starting with the detail for “Delivering Value” for the “Exec”.

* By policing function, I am referring to one like an idealised 1950s Britain where the police are considered public servants (Dixon of Dock Green) rather than some countries where they are considered a domestic army to suppress the people.

** These three risks were first articulated by Steve Freeman and myself in an article published in the Agile Alliance’s Agile Times in 2005(Date ?).

Managing the Top 2 constraints in an organisation.

If you ask most people what the constraint is in an organisation, they will tell you that it is the budget. You can tell this from the amount of energy that companies put into managing and controlling budgets and funding. Much of the upper management spend all of their time and effort controlling budgets.

However budget is not really the constraint. Try this thought experiment. Imagine you have infinite budget. Imagine you have all the funding that you require. Imagine that your company has been bought by an infinitely rich benefactor who says “money is no object”, and means it. What is the constraint now?

Queues form in front of constraints when demand exceeds capacity. This lack of capacity at constraints results in work items being delayed. Constraints reduce the queues in front of downstream processes, and those downstream processes potentially run out of work to do. These downstream processes hungry for work will generate work to keep them busy. The net result is that increasing budget results in more work in progress. Increasing budget does not necessarily increase output from the system… much to the frustration of those funding everything.

The first constraint is the capacity of each teams to satisfy demand.

It takes time to shift the capacity of an organisation. Small corrections in capacity involving the movement of staff or work and typically take a couple of months. Increasing the capacity of the organisation which involves hiring new staff can take a few months. Capacity is only increased when the person joining a team is competent. A new person occupying a role is initially a drain on capacity.

The second constraint is the capacity of individuals within the team.

The capacity of a team is a function of the constraints within the team. That is, the capacity of the team is limited by the capacity constraints of the individuals in the team. If the demand for a certain skill exceeds the capacity of the individuals in the team with that skill, then a queue will effectively form in front of the skill capacity and those working behind the constraint will be starved of work and take on lower value work. Even in cross functional feature teams, it takes time for a new member of the team to come up to speed.

Managing the Capacity of Teams in an Organisation

Tony Grout and I developed Demand Mapping at Skype with a large group of collaborators including Lisa Long, Ram Rao, Marina Oliveiro and John Horton. At the same time Dan was developing Delivery Mapping with his clients. This became apparent when Dan North bought me in to one of his clients to introduce it there.

Demand Mapping starts with the understanding that the constraint in organisation is the teams (or scare resource such as servers / server space) rather than the budget. The goal is to create a backlog that optimises the value that can be generated from the (currently) fixed capacity of teams. A secondary goal is to identify constrained teams with no capacity and teams with spare capacity.

Consider a team that consists of four cross function scrum teams that all maintain and develop “Component X”. For the next three months, that team would have twenty four team weeks of capacity ( Four teams times twelve weeks times 50%* ) to work on “Component X”.

We have five initiatives that require the capacity of the “Component X” team. We order the initiatives in terms of the value we expect** them to deliver:

  • Initiative 1 requires 100% of the capacity
  • Initiative 2 requires 50% of the capacity
  • Initiative 3 requires 25% of the capacity
  • Initiative 4 requires 100% of the capacity
  • Initiative 5 requires 25% of the capacity

We can now choose between the scenarios of Initiative 1 only, Initiative 4 only or Initiatives 2, 3, and 5.

We repeat this for all of the teams, creating a portfolio that optimises the delivery of value.

We are left with the portfolio of initiatives for the organisation to deliver, and the capacity utilisation of each team. The teams deliver the first whilst management works to re-balance the second using the tornado map (See Todd Little’s risk presentations) to determine future demand on the teams.

Managing the capacity of individuals within the team.

Rohit Darji and I developed Staff Liquidity and the Skills Matrix a couple of years before I discovered Agile. Dan North took these tools and evolved them into the more elegant and useful Skills Mapping***. He extended the values that individuals self score themselves on to the following.

  1. My current skill level.
  2. The skill level other members of the team would say I have (Moral Hazard).
  3. The skill level I want to have.

Ideally the team then self organises to remove key man dependencies and cross skill to remove constraints within the team. Unfortunately some organisational cultures mean that management need to intervene in order to ensure that skills transfer occurs.

To summarise, manage constraints caused by teams and within teams. Acknowledge that the budget is rarely the constraint. Thats why you need Demand Mapping and Skills Mapping in your tool kit.

My thanks to Joshua Arnold whose post “Resources are the constraint” inspired me to write this.. initially as a comment responding to his post.

* The maximum capacity a team should allow is 50% otherwise queues will naturally build up.

** Expect is probabilistic term. A summary of the range of value based on the probability of them reaching that value. Normally we use a “HIPPO” version of the expectation of value rather than use a formula such as Black Scholes to calculate the value of the option.

*** Check out Dan’s talk at YOW! for a fantastic introduction to Skills Mapping and the rest of Business Mapping… Demand Mapping and Initiative Mapping.